terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

service_accounts_iam submodule does nothing #160

Closed ikegentz closed 1 year ago

ikegentz commented 2 years ago

TL;DR

Other IAM modules work great, but no matter what arguments I pass to the service_accounts_iam module, it does not do anything. I can pass no arguments, complete gibberish, or something valid, but this module always returns empty lists/maps and doesn't create any resources. It seems to just use the default values no matter what is passed to it.

Expected behavior

google_service_account_iam_member resources to be created per the arguments passed.

Observed behavior

Nothing happens. No state is created, no resources are created, outputs always return as:

members = tolist([])
roles = tolist([])
service_accounts = tolist([])

Terraform Configuration

```hcl
# Grantee(s), receives the role
bindings = {
  "roles/iam.serviceAccountTokenCreator" = [
    "serviceAccount:<my_account_A>@<project_name_A>.iam.gserviceaccount.com"
  ]
}

# Grantor(s), grants the role
seviceAccounts = [
  "<my_service_account_B>@<project_name_B>.iam.gserviceaccount.com"
]

mode = "additive"
# project // unset
```

Terraform Version

```sh
Terraform Version: 1.2.3
Terragrunt Version: 0.38.0
```

Additional information

I am using Terragrunt. This has been working great with all of the other IAM modules. I have tried with several different versions of Terragrunt/Terraform, all yielding the same results.

I am attempting to grant a service account (my_service_account_A) in projectA, permissions on another service account (my_service_account_B) in projectB. Therefore I have tried setting the project variable to either project, and also leaving it blank/unspecified. Does not seem to affect the output.

I can pass in arguments that aren't specified as variables to the module, and still get the same result. e.g.

```hcl
inputs = {
  ...
  dummy_arg = "dummy output"
  ...
}
```

I would expect an error from such inputs.
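The silent acceptance of unknown inputs described in this report is standard Terraform behaviour: Terragrunt passes `inputs` to Terraform as `TF_VAR_<name>` environment variables, and Terraform ignores an environment variable for which no `variable` block exists, so a misspelled key produces neither an error nor a resource. The script below is an added example, not part of terraform-google-iam or of this issue; it parses the variable names out of a variables.tf body and reports the input keys that would be dropped and the required variables left unset. The sample variables.tf and inputs are constructed to resemble the submodule's inputs named in this thread (`service_accounts`, `bindings`, `mode`, `project`) and are assumptions, not the module's real file.

```python
"""Report Terragrunt inputs that the called module does not declare.

Added example; not part of terraform-google-iam. Terraform ignores a
TF_VAR_<name> environment variable with no matching `variable` block, so a
misspelled input key raises no error: the module simply sees that variable
as unset. This script lists such keys and any required variable (one without
a default) that the inputs leave unset.
"""
import re
from typing import Dict, List

# Constructed stand-in for the submodule's variables.tf. The names mirror the
# inputs discussed in this issue; the contents are an assumption, not the
# module's real file.
SAMPLE_VARIABLES_TF = '''
variable "service_accounts" {
  type        = list(string)
  description = "Service account emails on which roles are granted"
}

variable "bindings" {
  type        = map(list(string))
  description = "Map of role => list of members"
}

variable "mode" {
  type    = string
  default = "additive"
}

variable "project" {
  type    = string
  default = ""
}
'''

# Constructed inputs shaped like the configuration in the report: one key is
# misspelled and one is not a module input at all.
SAMPLE_INPUTS: Dict[str, object] = {
    "bindings": {
        "roles/iam.serviceAccountTokenCreator": [
            "serviceAccount:sa-a@project-a.iam.gserviceaccount.com"
        ]
    },
    "seviceAccounts": ["sa-b@project-b.iam.gserviceaccount.com"],
    "mode": "additive",
    "dummy_arg": "dummy output",
}

# Matches one top-level `variable "<name>" { ... }` block; the body is
# captured up to the closing brace that starts a line.
VARIABLE_BLOCK_RE = re.compile(
    r'^variable\s+"([A-Za-z_][A-Za-z0-9_-]*)"\s*\{(.*?)^\}', re.MULTILINE | re.DOTALL
)
DEFAULT_RE = re.compile(r"^\s*default\s*=", re.MULTILINE)


def declared_variables(variables_tf: str) -> Dict[str, bool]:
    """Map each declared variable name to whether it has a default value."""
    return {
        name: bool(DEFAULT_RE.search(body))
        for name, body in VARIABLE_BLOCK_RE.findall(variables_tf)
    }


def undeclared_inputs(inputs: Dict[str, object], variables_tf: str) -> List[str]:
    """Input keys that Terraform would silently ignore, sorted."""
    declared = declared_variables(variables_tf)
    return sorted(key for key in inputs if key not in declared)


def unset_required_variables(inputs: Dict[str, object], variables_tf: str) -> List[str]:
    """Declared variables without a default that the inputs do not set, sorted."""
    declared = declared_variables(variables_tf)
    return sorted(
        name for name, has_default in declared.items()
        if not has_default and name not in inputs
    )


def main() -> None:
    for key in undeclared_inputs(SAMPLE_INPUTS, SAMPLE_VARIABLES_TF):
        print(f"input '{key}' matches no declared variable and will be ignored")
    for name in unset_required_variables(SAMPLE_INPUTS, SAMPLE_VARIABLES_TF):
        print(f"required variable '{name}' is not set by the inputs")


if __name__ == "__main__":
    main()
```

Run against a real module, the script would read the submodule's variables.tf and the `inputs` map from the terragrunt.hcl that calls it; the regex handles the plain `variable "name" {` form this module uses and is not a full HCL parser.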

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

ikegentz commented 2 years ago

For reference, I am able to get this module working by re-writing it in the following way:

main.tf

```hcl
resource "google_service_account_iam_member" "roles" {
  for_each           = toset(var.roles)
  service_account_id = var.grantor_sa_full_name
  member             = "serviceAccount:${var.grantee_sa_email}"
  role               = each.key
}
```

variables.tf

```hcl
variable "grantor_sa_full_name" {
  type        = string
  description = "Full name (format: 'projects/<project_id>/serviceAccounts/<sa_email>') for the SA on which we want to grant the permissions FROM"
}

variable "grantee_sa_email" {
  type        = string
  description = "Email for the SA on which we want to grant the permissions TO"
}

variable "roles" {
  type        = list(string)
  description = "Roles which we want to grant to the grantee, onto grantor"
}
```

outputs.tf

```hcl
output "grantee" {
  value = var.grantee_sa_email
}

output "grantor" {
  value = var.grantor_sa_full_name
}

output "roles" {
  value = var.roles
}
```

g-awmalik commented 1 year ago

hey @ikegentz - I'm not able to reproduce the problem you've mentioned here. The identities e.g. user/group/sa are added as members with the associated roles to the SAs passed into the service_accounts list. I've confirmed it by running:

```sh
gcloud iam service-accounts get-iam-policy <resource_sa_email>
```

Can you share your config here so we can try and reproduce what you're experiencing with the module?
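The `get-iam-policy` check above is the right way to confirm what a module run actually granted, and it is worth automating so that a run that silently did nothing is caught before anyone relies on the grant. The script below is an added example, not code from terraform-google-iam or from this thread: it parses the JSON that `gcloud iam service-accounts get-iam-policy <sa_email> --format=json` prints and compares it with a desired state written in the same role-to-members shape as the module's `bindings` input. It reports desired pairs that are missing, and also members that hold a managed role without being in the desired state; in the module's `"additive"` mode those extra grants are left in place, while `"authoritative"` mode replaces the role's member list, so a reviewer wants to see them either way. The sample policy and desired bindings are constructed with placeholder identities.

```python
"""Compare a service account's live IAM policy with the bindings a module run
was meant to produce.

Added example; not code from terraform-google-iam. Input is the JSON printed
by `gcloud iam service-accounts get-iam-policy <sa_email> --format=json`.
"""
import json
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (role, member)

# Constructed sample of `get-iam-policy --format=json` output for the grantor
# service account. All identities are placeholders.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "members": [
        "serviceAccount:sa-a@project-a.iam.gserviceaccount.com",
        "user:someone@example.com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    },
    {
      "members": [
        "user:admin@example.com"
      ],
      "role": "roles/iam.serviceAccountUser"
    }
  ],
  "etag": "BwX-constructed-etag",
  "version": 1
}
"""

# Desired state in the same shape as the module's `bindings` input
# (role -> list of members); also constructed for this example.
DESIRED_BINDINGS: Dict[str, List[str]] = {
    "roles/iam.serviceAccountTokenCreator": [
        "serviceAccount:sa-a@project-a.iam.gserviceaccount.com"
    ],
    "roles/iam.serviceAccountKeyAdmin": [
        "serviceAccount:sa-a@project-a.iam.gserviceaccount.com"
    ],
}


def policy_pairs(policy_json: str) -> Set[Pair]:
    """Flatten a policy document into unconditional (role, member) pairs."""
    policy = json.loads(policy_json)
    pairs: Set[Pair] = set()
    for binding in policy.get("bindings", []):
        # A binding with a condition only grants when the condition holds, so
        # it does not count as satisfying an unconditional desired binding.
        if "condition" in binding:
            continue
        for member in binding.get("members", []):
            pairs.add((binding["role"], member))
    return pairs


def desired_pairs(desired: Dict[str, List[str]]) -> Set[Pair]:
    """Flatten the module-style bindings map into (role, member) pairs."""
    return {(role, member) for role, members in desired.items() for member in members}


def missing_bindings(policy_json: str, desired: Dict[str, List[str]]) -> List[Pair]:
    """Desired pairs absent from the live policy, sorted for stable output."""
    return sorted(desired_pairs(desired) - policy_pairs(policy_json))


def unmanaged_members(policy_json: str, desired: Dict[str, List[str]]) -> List[Pair]:
    """Pairs on roles the desired state manages whose member it does not list."""
    return sorted(
        pair for pair in policy_pairs(policy_json) - desired_pairs(desired)
        if pair[0] in desired
    )


def main() -> None:
    for role, member in missing_bindings(SAMPLE_POLICY_JSON, DESIRED_BINDINGS):
        print(f"MISSING  {member} lacks {role}")
    for role, member in unmanaged_members(SAMPLE_POLICY_JSON, DESIRED_BINDINGS):
        print(f"EXTRA    {member} holds {role} but is not in the desired bindings")


if __name__ == "__main__":
    main()
```

To use it against a real account, replace `SAMPLE_POLICY_JSON` with the captured `gcloud` output and `DESIRED_BINDINGS` with the `bindings` map from the Terragrunt configuration; an empty `MISSING` list is the confirmation that the module run took effect.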

ikegentz commented 1 year ago

@g-awmalik Now I'm unable to reproduce this either. Must have been something fixed in a new version or user error. Setting bindings, serviceAccounts, mode, and project everything appears to be working as intended.